IN THE CLAIMS

Please amend the claims as follows: 



1. (Currently Amended) A method of determining whether a potential relay device is a relay
device, the method comprising:

a) receiving, first and second information elements from the potential relay device, a
first information element and a second information element, wherein the potential
relay device is an original source of said second information element; and

b) determining, using a relay detection system implemented at least in part in
hardware, whether that a feature of an original source of said first information
element and a feature of the potential relay device are features unlikely to relate to
a single device, wherein a positive result of said determining [[is]] being
indicative that the potential relay device is a relay device.

2. (Original) The method of claim 1 wherein said second information element is of a type 
that a relay device of a class of relay devices is unlikely to relay. 

3. (Previously Presented) The method of claim 2 wherein said class of relay devices is 
selected from the group consisting of a SOCKS proxy, an HTTP proxy using the GET method, 
an HTTP proxy using the CONNECT method, an IP router and a NAT device.

4. (Original) The method of claim 1 wherein said second information element is part of a
communication, wherein the communication is of a type selected from the group consisting of 
IP, TCP, ICMP, DNS, HTTP, SMTP, TLS, and SSL. 

5. (Original) The method of claim 1 wherein said first information element is part of a 
communication, wherein the communication is of a type selected from the group consisting of 
IP, TCP, ICMP, DNS, HTTP, SMTP, TLS, and SSL. 
6. (Original) The method of claim 1 wherein said first and said second information elements
are parts of a single communication. 



7. (Original) The method of claim 6 wherein said first and said second information elements 
are sent in two different layers of a protocol stack. 

8. (Original) The method of claim 1 wherein said stage of determining comprises: 

i) discovering said feature of an original source of said first information element; 
and 

ii) discovering said feature of the potential relay device. 

9. (Original) The method of claim 8 wherein said stage of determining further comprises: 

iii) comparing said feature of an original source of said first information element with 
said feature of the potential relay device. 

10. (Original) The method of claim 8 further comprising: 

c) obtaining a parameter indicative of said feature of an original source of said first 
information element; and 

d) obtaining a parameter indicative of said feature of the potential relay device. 

11. (Original) The method of claim 8 wherein said stage of determining further comprises:

iii) considering a time at which at least one of said feature of an original source of
said first information element and said feature of the potential relay device, was
discovered.

12. (Original) The method of claim 1 further comprising: 

c) obtaining a parameter indicative of a relationship between said feature of said
original source of said first information element and said feature of the potential
relay device.
13. (Original) The method of claim 12, wherein said stage of determining includes analyzing
said parameter indicative of a relationship between said feature of said original source of said 
first information element and said feature of the potential relay device. 

14. (Original) The method of claim 12 wherein said parameter is obtained from at least one 
of said first information element and said second information element. 

15. (Original) The method of claim 1 further comprising: 

c) sending an outgoing communication to at least one of said original source of said 
first information element and the potential relay device; and 

d) Receiving a third information element from said at least one of said original 
source of said first information element and the potential relay device. 

16. (Previously Presented) The method of claim 15, further comprising: 

e) deriving from said third information element information related to a feature of 
said at least one of said original source of said first information element and the 
potential relay device. 

17. (Original) The method of claim 15 further comprising: 

iii) verifying that an original source of said third information element is said original 
source of said first information element 

18. (Original) The method of claim 15 further comprising: 

iii) verifying that an original source of said third information element is the potential 
relay device. 

19. (Original) The method of claim 15 wherein said third information element is selected 
from the group consisting of an ICMP message, an ICMP Echo Reply message, a DNS query, an 
HTTP request, an HTTP response, an HTTP 'Server' header, an IP address, a TCP port, a TCP 
Initial Sequence number, a TCP Initial Window, a WHOIS record, and a reverse DNS record. 
20. (Original) The method of claim 1 wherein at least one of said feature of an original
source of said first information element and said feature of the potential relay device is a feature 
related to a configuration status. 

21. (Original) The method of claim 20 wherein said feature related to a configuration status is
selected from the group consisting of an operating system type, an operating system version, a 
software type, an HTTP client type, an HTTP server type, an SMTP client type, an SMTP server 
type, a time setting, a clock setting and a time zone setting. 

22. (Original) The method of claim 21 wherein said determining includes examining a 
parameter indicative of said feature related to a configuration status. 

23. (Previously Presented) The method of claim 22 wherein said parameter is selected from 
the group consisting of an HTTP 'User-Agent' header, an RFC 822 'X-Mailer' header, an RFC 
822 'Received' header, an RFC 822 'Date' header, a protocol implementation manner, a TCP/IP 
stack fingerprint, an IP address, a TCP port, a TCP initial sequence number, a TCP initial 
window, a WHOIS record, and a reverse DNS record. 

24. (Original) The method of claim 1 wherein at least one of said feature of a source of said 
first information element and said feature of the potential relay device is a feature related to 
communication performance. 

25. (Original) The method of claim 24 wherein said feature related to communication 
performance is selected from the group consisting of a measured communication performance, a 
measured relative communication performance, and an estimated communication performance. 



AMENDMENT AND RESPONSE UNDER 37 C.F.R § 1.111 Page 6 

Serial Number: 10/585,517 Dkt: 2043.561US1

Filing Date: July 10, 2006 

Title: DETECTING RELAYED COMMUNICATIONS 



26. (Original) The method of claim 24 wherein said feature related to communication 
performance is selected from the group consisting of a latency of communication, a latency of an 
incoming communication, a latency of an outgoing communication, a round trip time of a 
communication, a communication rate, an incoming communication rate, an outgoing 
communication rate, a maximum communication rate, an incoming maximum communication 
rate, and an outgoing maximum communication rate. 



27. (Original) The method of claim 24 wherein said determining includes examining a 
parameter indicative of said feature related to communication performance. 

28. (Original) The method of claim 27 wherein said parameter is selected from the group 
consisting of time of receipt of an information element, time of sending of an information 
element, a round trip time, a round trip time gap, an IP address, a Whois record, a reverse DNS 
record, and a rate of acknowledged information. 

29. (Original) The method of claim 28 wherein a higher round trip time gap is indicative of a 
higher likelihood that a relay device is being used for malicious purposes. 

30. (Original) The method of claim 24, wherein said feature related to communication 
performance is estimated from information about at least one of said original source of said first 
communication and the potential relay device. 

31. (Previously Presented) The method of claim 30, wherein said information about at least
one of said original source of said first communication and the potential relay device is selected
from the group consisting of a location of a device, a reverse DNS record of a device's IP
address, and an administrator of a device.



32. (Original) The method of claim 1 wherein at least one of said feature of an original 
source of said first information element and said feature of the potential relay device is selected 
from the group consisting of a subnetwork, an administrator, and a location. 
33. (Previously Presented) The method of claim 32 wherein said determining includes
examining a parameter indicative of at least one of said feature of a source of said first
communication and said feature of a source of said second communication, and said parameter is
selected from the group consisting of an HTTP 'User-Agent' header, an RFC 822 'X-Mailer'
header, an RFC 822 'Received' header, an RFC 822 'Date' Header, an IP address, a WHOIS 
record, and a reverse DNS record, 



34. (Currently Amended) A method of determining whether a potential relay device is a relay 
device, the method comprising: 

a) receiving, first and second information elements from the potential relay device, a
first information element and a second information element, wherein the potential 
relay device is an original source of said second information element; [[and]] 

b) analyzing a configuration status of an original source of at least one of said first 
and said second information elements, said configuration status selected from the 
group consisting of an operating system type, an operating system version, a 
software type, an HTTP client type, an HTTP server type, an SMTP client type, 
an SMTP server type, a time setting, a clock setting, and a time zone setting; and
[[• •]] 

c) determining, using a relay detection system, whether a feature of an original 
source of said first information element and a feature of the potential relay device 
are features unlikely to relate to a single device. 
35. (Currently Amended) A method of determining whether a potential relay device is a relay
device, the method comprising:

a) receiving, first and second information elements from the potential relay device, a
first information element and a second information element, wherein the potential
relay device is an original source of said second information element; [[and]]

b) analyzing, using a relay detection system, a feature related to communication
performance of an original source of at least one of said first and said second
information elements; and [[.]]

c) determining, using a relay detection system, whether a feature of an original 
source of said first information element and a feature of the potential relay device 
are features unlikely to relate to a single device. 

36. (Original) The method of claim 35, wherein said feature related to communication 
performance is selected from the group consisting of a latency of communication, a latency of an 
incoming communication, a latency of an outgoing communication, a round trip time of a 
communication, a communication rate, an incoming communication rate, an outgoing 
communication rate, a maximum communication rate, an incoming maximum communication 
rate, and an outgoing maximum communication rate. 



37. (Currently Amended) A method of determining whether a potential relay device is a relay 
device, the method comprising: 

a) sending a message to an information source device, triggering said information 
source device to send a DNS request to a DNS server;

b) monitoring said DNS request from said information source device to said DNS 
server; and 

c) determining, using a relay detection system, from said DNS request whether said
potential relay device is a relay device. 
38. (Currently Amended) A method of determining whether a potential relay device is a relay
device, the method comprising:

a) receiving, first and second information elements from the potential relay device, a
first information element and a second information element; and

b) determining, using a relay detection system, that whether a feature of an original
source of said first information element and a feature of an original source of said 
second information element are features unlikely to relate to a single device, 
wherein a positive result of said determining [[is]] being indicative that the 
potential relay device is a relay device. 

39. (Currently Amended) A method of determining whether a potential relay device is a relay 
device, the method comprising: 

a) receiving, first and second information elements from the potential relay device, a
first information element and a second information element, wherein the potential
relay device is an original source of said second information element; and

b) checking, using a relay detection system, whether a round-trip time to the
potential relay device is significantly different than a round-trip time to an 
original source of said first information element. 



40. (Canceled) 



41. (Currently Amended) A method of determining whether a potential relay device is a relay
device, the method comprising:

a) receiving, first and second information elements from the potential relay device, a
first information element and a second information element, wherein the potential
relay device is an original source of said second information element; and

b) checking, using a relay detection system, whether a location of the potential relay
device is different than a location of an original source of said first information 
element. 
42. (Cancelled)

43. (Currently Amended) A method of determining whether a potential relay device is a relay 
device, the method comprising: 

a) determining, using a relay detection system, whether a feature of an original
source of a first information element and a feature of the potential relay device are
features unlikely to relate to a single device, wherein the potential relay device is 
a transmitter of said first information element and of a second information 
element, wherein the potential relay device is an original source of said second 
information element wherein a positive result of said determining is indicative 
that the potential relay device is a relay device 

44. (Currently Amended) A system, implemented at least in part in hardware, to determine
for determining whether a potential relay device is a relay device, the system comprising:

a) an information element receiver, for receiving to receive information elements
from a plurality of devices including an information source device and the
potential relay device; and

b) a feature incompatibility analyzer, using a feature database, to determine for
determining whether a feature of said information source device and a feature of 
the potential relay device are features unlikely to relate to a single device. 

45. (Original) The system of claim 44 further comprising: 

c) a feature discovery module, for discovering at least one feature selected from the 
group consisting of a feature of said information source device and a feature of 
the potential relay device. 

46. (Original) The system of claim 44, wherein said information element receiver is further 
configured to receive information elements from a monitored host. 
47. (Original) The system of claim 44, wherein further comprising:
c) an outgoing information element sender. 

48. (Original) The system of claim 44, further comprising: 

c) a parameter obtainer, for obtaining at least one parameter selected from the group 
consisting of a parameter indicative of a feature of an information source device, a 
parameter indicative of a feature of the potential relay device, and a parameter 
indicative of whether a feature of said information source device and a feature of 
said potential relay device are features unlikely to relate to a single device. 

49. (Original) The system of claim 44, further comprising: 

c) a feature database for storing a map between pairs of features and data indicative 
of whether said pairs of features are incompatible features. 

50. (Currently Amended) Computer software, residing on a A computer-readable
non-transitory storage medium[[,]] comprising instructions, which when executed by for causing a
computer cause the computer to perform operations comprising:

a) receive, first and second information elements from the potential relay device, a
first information element and a second information element, wherein the potential 
relay device is an original source of said second information element; and 

b) determine whether a feature of an original source of said first information element 
and a feature of said potential relay device are features unlikely to relate to a 
single device, wherein a positive result of said determining is indicative that said 
potential relay device is a relay device. 
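
An added illustration of the comparison recited in claims 7, 20 to 23 and 26 to 29 (not part of the filing and not the applicant's implementation): the HTTP 'User-Agent' header stands in for the first information element, the IP/TCP layer of the same connection for the second, and the two are checked for features unlikely to relate to a single device. The TTL-to-OS table, the 100 ms round trip time gap threshold, the record field names and the sample records are assumptions constructed for this example.

```python
import re

# Assumption: common initial IP TTLs by OS family (simplified passive heuristic).
INITIAL_TTL_OS = {64: "unix-like", 128: "windows", 255: "network-device"}

def os_from_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial TTL."""
    for initial in sorted(INITIAL_TTL_OS):
        if observed_ttl <= initial:
            return INITIAL_TTL_OS[initial]
    return None

def os_from_user_agent(user_agent):
    """Coarse OS family claimed by the HTTP 'User-Agent' header."""
    if "Windows NT" in user_agent:
        return "windows"
    if re.search(r"Linux|Mac OS X|Android|iPhone", user_agent):
        return "unix-like"
    return None

def assess(conn, rtt_gap_threshold_ms=100.0):
    """Return the reasons the two layers look like two different devices.

    tcp_rtt_ms: handshake round trip, measured to whatever terminates TCP
                (the potential relay device).
    app_rtt_ms: round trip of an application-level exchange that only the
                original source answers (hypothetical measurement).
    """
    reasons = []
    transport_os = os_from_ttl(conn["ttl"])
    claimed_os = os_from_user_agent(conn["user_agent"])
    # Configuration status mismatch between protocol layers.
    if transport_os and claimed_os and transport_os != claimed_os:
        reasons.append(f"os-mismatch: transport={transport_os} application={claimed_os}")
    # Communication performance: a large gap suggests an extra hop.
    gap = conn["app_rtt_ms"] - conn["tcp_rtt_ms"]
    if gap > rtt_gap_threshold_ms:
        reasons.append(f"rtt-gap: {gap:.0f} ms")
    return reasons

# Constructed sample records, not captured traffic.
SAMPLES = [
    {"id": "direct", "ttl": 116, "tcp_rtt_ms": 40.0, "app_rtt_ms": 46.0,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"id": "relayed", "ttl": 52, "tcp_rtt_ms": 12.0, "app_rtt_ms": 230.0,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

if __name__ == "__main__":
    for conn in SAMPLES:
        print(conn["id"], assess(conn) or "no relay indicators")
```

Either indicator alone is weak evidence (a NAT device rewrites neither TTL family nor User-Agent, and slow clients inflate the application round trip), so a deployment would weigh them together rather than block on one.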